Posts

Showing posts from October, 2020

Buer Loader provides malware-as-a-service

Buer is a malware-as-a-service offering used to deliver whatever payload the service's customer wants. It handles the initial compromise of targets' Windows PCs and gives the customer a digital beachhead for further malicious activity. Buer has previously been tied to banking trojan attacks and other malware deployments, and now appears to have been embraced by ransomware operators as well. In many ways, Buer is positioned as an alternative to Emotet and to TrickBot's emerging Bazar loader. It is advertised as "a new modular bot... written in pure C", with command and control (C&C) server code written in .NET Core MVC (which can run on Linux servers).

Indicators of Compromise
File hashes:
10943b90969722bf359e4b039d2953e02072e03e0a7f1bdb1dea09d9197288b1
32616f41a71fc7a4286736a6fc77da2a555dbc8301a8bd5fbdbab231955a42c5
5b607f001ba62e042344d30b65cad2774df2deb50e0b92c33da85e9338c123c4
6c7f43434e5db8703c0a47dedeeab976159d8704bfb...

Tech Support Scam Campaign Abuses XSS Vulnerability

Links posted on social media platforms should always be scrutinized: they are a commonly abused way for scammers and malware authors to redirect users to undesirable content. This is why you may see a disclaimer when you click a link, warning that it could be spam or dangerous. Tech support browser lockers remain one of the most common web threats. Not only are they a problem for end users, who may end up on the phone with scammers defrauding them of hundreds of dollars; they have also caused quite a headache for browser vendors to fix. Browser lockers are only one element of a larger scheme to redirect traffic from certain sites, typically via malvertising chains from adult portals or sites offering pirated content.

Indicators of Compromise
Bitly links:
bit[.]ly/2BnL1gb
bit[.]ly/2BT9fyU
bit[.]ly/2Ci8vU7
bit[.]ly/2CmSeNo
bit[.]ly/2CYEQ2V
bit[.]ly/2D1Xt64
bit[.]...

Indian Android and macOS Users Targeted by GravityRAT Spyware

The GravityRAT campaign relies on familiar infection methods: targeted individuals are sent links pointing to malicious apps. The new campaign is multiplatform; besides Windows, there are now versions for Android and macOS. The operators have also started digitally signing the apps to make them look more legitimate. GravityRAT is a spying remote access Trojan (RAT) known for targeting devices in India, now seen in an attack campaign against Android and macOS devices. Its creators are believed to be Pakistani hacker groups. The spyware's functions are fairly standard: it sends device data, contact lists, e-mail addresses, and call and text logs from the infected device to the C&C server. In addition, the Trojan searches device memory and connected media for files with the extensions .jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx, and .opus, and sends these...

TrickBot Gang Operators Using a Stealthy Cybercrime Weapon: the "Front Door" into BazarBackdoor

The TrickBot gang's operators are increasingly hitting high-value targets with the new, stealthy BazarLoader trojan before deploying Ryuk ransomware. BazarLoader's strength lies in its small, stealthy core component and its obfuscation. The malware's goal is to implant itself on high-value targets and then reach its server, currently via a proxy and a domain generation algorithm built on the EmerDNS protocol: it looks up .bazar domains and derives the real server address by applying an XOR function to the IP address returned in the response. The loader is designed to stay minimal and to pull more advanced functionality from additional components. That design lets the crime group keep persistence on the host even when those additional components are detected by antivirus software.

Indicators of Compromise
File hashes (SHA256):
8c99069bcb559bf7d9606af7ba1538cc8bacd79b4f3846f7...

Attackers Targeting Teachers with Ransomware Disguised as Class Assignments

Students and school systems have faced unique problems this year, and these messages take advantage of the widespread technical difficulties that accompany online learning. The messages pose as a parent or guardian submitting an assignment on a student's behalf, claiming that the student ran into technical issues when trying to submit it themselves. Although this campaign was very small, this and other actors may continue using themes of technology problems and online learning to lend legitimacy and urgency to their lures. The targets were individual teachers, whose e-mail addresses were likely pulled from public pages of a school website. Masquerading as the assignment is an attached malicious document that leads to the download of a custom ransomware payload. These messages seek to take advantage of the widespread technology issues facing students, their families...

Virtual Conference Platform Targeted by Credit Card Skimmer

There are many ingenious ways to steal money online, and payment card data entered into web forms is one of the targets criminals seek most. Many incidents affect different websites at the same time because they all load the same tampered piece of code. In many cases this is what we call a supply-chain attack: the threat actor targets one company that acts as an intermediary to many others, so a single compromise reaches every site that embeds that company's script.

Indicators of Compromise
Skimmer script:
playbacknows[.]com/playback/index.js
Compromised sites:
playbacknar[.]com
naraei[.]playbacknow[.]com
nais[.]playbacknow[.]com
nasmm[.]playbacknow[.]com
...

Mobile network operator falls into the hands of Fullz House criminal group

Online shops selling various goods are the usual victims of Magecart-style attacks, but other kinds of businesses keep turning up as victims as well, because their payment pages are just as exposed. Based on the available information, criminals linked to the Fullz House group injected malicious code into the operator's platform and used it to capture data from unsuspecting online shoppers. The group is also known for generic phishing to collect "fullz", criminal slang for complete packages of an individual's identifying information, which it sells on its store "BlueMagicStore". Note that every domain below name-drops a well-known brand or library (Google, Bing, PayPal, Facebook, jQuery) without belonging to it, so that the injected script tag passes a casual glance.

Indicators of Compromise
Domains:
google-standard[.]com
bing-analytics[.]com
google-money[.]com
google-sale[.]com
paypal-assist[.]com
paypal-debit[.]com
connect-facebook[.]com
cdn-jquery[.]com
google-assistant[.]com
paypalapiobjects[.]com
google-tasks[.]com
jquery-insert[.]com
googleapimanager[.]com
IP:
8.208.79.4...
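The two skimmer posts above describe the same pattern from opposite ends: a skimmer served from one third-party host ends up on many checkout pages, and the hosts serving it carry names built to look like Google, PayPal or jQuery infrastructure. The script below is an added example, not code from the posts' authors: it audits the external script sources of a page against the domains listed in the two indicator sets and additionally flags any host that mentions a brand without sitting under one of that brand's real registrable domains, so lookalikes are caught even before they appear on an IoC list. The brand allow-list and the sample checkout page are constructed for this example, and the registrable-domain helper is deliberately naive (see its comment).

```python
"""Audit external <script src> hosts for known skimmer IoCs and brand lookalikes."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'paypal-debit[.]com' back into a hostname."""
    return indicator.replace("[.]", ".").lower().strip()


# Domains taken from the two posts' indicator lists (defanging removed).
IOC_HOSTS = frozenset(refang(d) for d in [
    "playbacknows[.]com",
    "google-standard[.]com", "bing-analytics[.]com", "google-money[.]com",
    "google-sale[.]com", "paypal-assist[.]com", "paypal-debit[.]com",
    "connect-facebook[.]com", "cdn-jquery[.]com", "google-assistant[.]com",
    "paypalapiobjects[.]com", "google-tasks[.]com", "jquery-insert[.]com",
    "googleapimanager[.]com",
])

# Brand keyword -> registrable domains that brand actually serves scripts from.
# This allow-list is an assumption made for the example; extend it for your environment.
BRAND_DOMAINS = {
    "google": {"google.com", "googleapis.com", "gstatic.com",
               "googletagmanager.com", "google-analytics.com"},
    "paypal": {"paypal.com", "paypalobjects.com"},
    "facebook": {"facebook.com", "facebook.net", "fbcdn.net"},
    "jquery": {"jquery.com", "jquery.org", "jsdelivr.net"},
    "bing": {"bing.com"},
}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Adequate for .com/.net; a real deployment
    should use the Public Suffix List so that e.g. co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def impersonated_brand(host: str):
    """Return the brand a hostname name-drops without belonging to it, else None."""
    host = host.lower()
    reg = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and reg not in legit:
            return brand
    return None


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def audit_scripts(html: str, ioc_hosts=IOC_HOSTS):
    """One finding per distinct external script host that is a known IoC and/or a
    brand lookalike. Relative (same-origin) sources carry no host and are skipped."""
    parser = ScriptSrcParser()
    parser.feed(html)
    findings, seen = [], set()
    for src in parser.srcs:
        host = urlsplit(src).hostname  # works for https://, http:// and //host/path
        if not host or host in seen:
            continue
        seen.add(host)
        reasons = []
        if host in ioc_hosts:
            reasons.append("known-ioc")
        brand = impersonated_brand(host)
        if brand:
            reasons.append("brand-lookalike:" + brand)
        if reasons:
            findings.append({"host": host, "src": src, "reasons": reasons})
    return findings


# Constructed checkout page: one same-origin script, two legitimate third-party
# scripts, and three injected loaders of the kind the two posts describe.
SAMPLE_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://www.paypalobjects.com/api/checkout.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<script src="https://playbacknows.com/playback/index.js"></script>
<script src="//cdn-jquery.com/jquery.min.js"></script>
<script src="https://paypal-debit.com/js/pay.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_HTML):
        print(finding["host"], ", ".join(finding["reasons"]))
```

Run against the sample page it reports playbacknows.com as a known IoC only (no brand in the name, which is why the IoC list is still needed), and cdn-jquery.com and paypal-debit.com both as known IoCs and as brand lookalikes; the genuine paypalobjects.com and googleapis.com hosts pass. The brand check is a heuristic: a substring such as "bing" can hit unrelated names, so treat its output as a review queue, not a block list.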